Govt data leaking harbinger of cyber security vulnerabilities

Al Amin :
The latest data leak from a Bangladesh government website hints at other vulnerabilities as the country is going for digital banking.

The latest leak exposed birth dates, national identification numbers and other sensitive information of approximately 50 millions of citizens.

Experts and sector insiders said, the leak is a wake up call for the government’s IT infrastructure showing the need for a security overhaul in the public sector when the country is going for digital banking.

Bangladesh’s government has rushed to sort out the cause of a data breach that exposed the personal information of one third of its citizens as well as hurts the country’s cybersecurity reputation.

The data leaked from the website of the Office of the Registrar General, Birth & Death Registration (BDRIS). The breach made sensitive information, including names, birth dates, national identification numbers and payment receipts, accessible through a simple Google search.

The country’s top cybersecurity department took down the exposed data on July 9, but it is still trying to figure out how the lapse occurred, while experts say it would never have happened if appropriate safeguards had been in place.

Jobayer Ahmed, Founder and CEO of RedNode, an OSCE3 certified cybersecurity expert, told The New Nation, “The BDRIS leak is a wake-up call as Bangladesh is going for a digital economy including its banking.”

The latest leak has been casting a harsh spotlight on the country’s cybersecurity shortcomings amid a push for more cashless transactions.

In June, 2023 the Bangladesh Bank approved a framework for digital banks.

In an apparent nod to the risks, the central bank made it mandatory for half of board members at a digital bank to have knowledge and experience in technology-based banking, emerging technologies, cyber laws and regulations.

Jobayer Ahmed said in large organisations, the lines of responsibility for data security can sometimes become blurred.

It is crucial to clearly define who maintains and secures data to ensure that vulnerabilities are promptly identified and addressed, he said.

Organisations become more susceptible to attacks in the absence of a thorough understanding of potential cyber threats and the necessary protective measures.

This lack of knowledge extends from top management, who need to fully comprehend the importance of cybersecurity, to IT staff, who require training in the latest security protocols, he said.

He said lack of continuous assessment is also responsible for any kind of worst condition.
Cybersecurity is an ongoing process rather than a one-time event. Without regular assessments to identify and address vulnerabilities, an organisation’s defenses can become outdated, leaving them vulnerable to breaches. As threats evolve rapidly, security measures must keep pace, he said.

And concerned government agencies must respond quickly to any authentic information on any kinds of hacking or leakages, which are undoubtedly necessary to mitigate as well as to evade worst conditions, he added.

Hasib M Rashid, an independent cybersecurity analyst who has consulted on government projects, said most government websites in Bangladesh are running with outdated security protocols.

“You have to understand that the BDRIS website was one of the government-declared 29 critical information infrastructures,” he said.

“If that is the condition of its data security, we can pretty well assume the situations in hundreds of other government websites,” he said.

U.S.-based news portal TechCrunch broke the news on BDRIS, saying the breach was discovered on June 27 by Viktor Markopoulos, a researcher at South Africa-based company Bitcrack Cyber Security.

Markopoulos reportedly attempted to contact the Bangladeshi e-Government Computer Incident Response Team (CIRT) several times but received no response for more than a week.

The CIRT on Saturday issued a statement saying that it “promptly” addressed the matter and “demonstrated its professionalism and expertise by swiftly initiating a thorough investigation into the matter, leaving no stone unturned in pursuit of understanding the extent and impact of the data breach.”

But Zunaid Ahmed Palak, State Minister for information and communications technology, conceded on Sunday that the portal did not have “minimum security.”

“Despite being warned, the officials of the department concerned did not take it into account,” he told reporters.

Bangladesh’s central bank was famously the target of a major cyberheist.

The Bangladesh Bank Cyber Heist in 2016, where robbers were able to fly away with US $81 million, is considered the world’s largest bank heist in modern history.

Meanwhile, in March 2023, hackers seized 100 gigabytes of data from Biman Bangladesh, a state-owned airliner, and reportedly demanded $5 million. However, the BDRIS leak is another wake-up call — especially as Bangladesh strives to ramp up the digitalisation of its economy.